- Bug
- Resolution: Fixed
- Low
- 2.10.1
- 16
- Severity 3 - Minor
- 4
Description
When a user tries to disable a user from a delegated user directory, they get an error stating that the directory is read-only, even though the delegated directory is configured with read and write permission.
Environment
- Confluence v6.1.0
- Embedded Crowd v2.10
- Embedded Crowd v2.3.3
Steps to reproduce
- Configure a delegated directory in Confluence
- Log in as the delegated user to copy the user details to the Confluence database
- Log out and log in as the Confluence admin
- Go to the delegated user profile and disable the user
Expected Behavior
The user is disabled
Actual Result
The following error message appears in the logs.
2017-05-11 06:52:56,972 ERROR [http-nio-8080-exec-2] [confluence.user.crowd.CrowdDisabledUserManager] disableUser Could not disable user
 -- referer: http://confluence.ju.globaz.ch/admin/users/deactivateuser.action?username=jpa | url: /admin/users/deactivateuser-confirm.action | traceId: 3c79ebb000d44063 | userName: RPE | action: deactivateuser-confirm
com.atlassian.crowd.exception.OperationNotPermittedException: com.atlassian.crowd.exception.ApplicationPermissionException: Cannot update user 'jpa' because directory 'Delegated LDAP Authentication' does not allow updates.
Caused by: com.atlassian.crowd.exception.ApplicationPermissionException: Cannot update user 'jpa' because directory 'Delegated LDAP Authentication' does not allow updates.
After some investigation, it turns out that the delegated directory does not have the 'UPDATE_USER' permission in the database, inside the "CWD_DIRECTORY" table. This can be checked with the following SQL query:
SELECT COUNT(*) FROM CWD_DIRECTORY_OPERATION O, CWD_DIRECTORY D WHERE O.DIRECTORY_ID=D.ID AND D.DIRECTORY_NAME='<name of the directory>';
Note
- This issue does not happen in Confluence 6.0.3, which had Embedded Crowd version 2.8.8
Workaround
Run the following queries to check whether the permissions are granted for the directory.
-- Query 1
SELECT COUNT(*) FROM CWD_DIRECTORY_OPERATION O, CWD_DIRECTORY D WHERE O.DIRECTORY_ID=D.ID AND D.DIRECTORY_NAME='<name of the directory>';
-- Query 2
SELECT COUNT(*) FROM CWD_APP_DIR_OPERATION O, CWD_APP_DIR_MAPPING M, CWD_DIRECTORY D WHERE O.APP_DIR_MAPPING_ID=M.ID AND M.DIRECTORY_ID=D.ID AND D.DIRECTORY_NAME='<name of the directory>';
If the result of a query is less than 12, please insert the missing permissions with the following statements.
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'CREATE_GROUP');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'CREATE_ROLE');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'CREATE_USER');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'DELETE_GROUP');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'DELETE_ROLE');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'DELETE_USER');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_GROUP');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_GROUP_ATTRIBUTE');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_ROLE');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_ROLE_ATTRIBUTE');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_USER');
INSERT INTO CWD_DIRECTORY_OPERATION VALUES(<directory-id>, 'UPDATE_USER_ATTRIBUTE');
Replace <directory-id> with the ID of the problematic directory. For more details, please refer to this documentation.
Please note that modifying the database is dangerous; remember to generate a database dump before making any changes.
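The count returned by Query 1 shows that a grant is missing but not which one. The following added example (not part of the original issue or of Atlassian's code) lists the operations a directory lacks and renders INSERT statements for only those, so the change can be reviewed before it is applied. It runs against an in-memory SQLite stand-in with constructed rows; the column name OPERATION_TYPE and the directory ID 98305 are assumptions.

```python
import sqlite3

# The twelve operations the workaround on this page inserts.
EXPECTED_OPERATIONS = (
    "CREATE_GROUP", "CREATE_ROLE", "CREATE_USER",
    "DELETE_GROUP", "DELETE_ROLE", "DELETE_USER",
    "UPDATE_GROUP", "UPDATE_GROUP_ATTRIBUTE",
    "UPDATE_ROLE", "UPDATE_ROLE_ATTRIBUTE",
    "UPDATE_USER", "UPDATE_USER_ATTRIBUTE",
)

# Same join as Query 1, but returning the granted operation names instead of a count.
# OPERATION_TYPE is an assumed column name; confirm it against your schema.
GRANTED_SQL = """
SELECT D.ID, O.OPERATION_TYPE
FROM CWD_DIRECTORY D
LEFT JOIN CWD_DIRECTORY_OPERATION O ON O.DIRECTORY_ID = D.ID
WHERE D.DIRECTORY_NAME = ?
"""

def missing_operations(conn, directory_name):
    """Return (directory_id, sorted list of operations not yet granted)."""
    rows = conn.execute(GRANTED_SQL, (directory_name,)).fetchall()
    if not rows:
        raise LookupError(f"no directory named {directory_name!r}")
    granted = {op for _, op in rows if op is not None}
    return rows[0][0], sorted(set(EXPECTED_OPERATIONS) - granted)

def insert_statements(directory_id, missing):
    """Render one INSERT per missing operation, in the page's format, for review."""
    return [
        f"INSERT INTO CWD_DIRECTORY_OPERATION VALUES({int(directory_id)}, '{op}');"
        for op in missing
    ]

def build_sample_db():
    """Constructed stand-in data: a delegated directory lacking the UPDATE_USER* grants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CWD_DIRECTORY (ID INTEGER PRIMARY KEY, DIRECTORY_NAME TEXT)")
    conn.execute("CREATE TABLE CWD_DIRECTORY_OPERATION (DIRECTORY_ID INTEGER, OPERATION_TYPE TEXT)")
    conn.execute("INSERT INTO CWD_DIRECTORY VALUES (98305, 'Delegated LDAP Authentication')")
    present = [op for op in EXPECTED_OPERATIONS if not op.startswith("UPDATE_USER")]
    conn.executemany("INSERT INTO CWD_DIRECTORY_OPERATION VALUES (98305, ?)", [(op,) for op in present])
    return conn

if __name__ == "__main__":
    dir_id, missing = missing_operations(build_sample_db(), "Delegated LDAP Authentication")
    print("\n".join(insert_statements(dir_id, missing)))
```

Inserting only the listed operations also avoids adding duplicate rows for grants that already exist.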